@ekkos/cli 1.3.9 → 1.4.1

package/dist/commands/setup-ci.js

@@ -0,0 +1,107 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.setupCiCommand = setupCiCommand;
+const chalk_1 = __importDefault(require("chalk"));
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const WORKFLOW_CONTENT = `name: ekkOS Cortex Validation
+
+on:
+  push:
+    branches: [main, master]
+    paths:
+      - '**/ekkOS_CONTEXT.md'
+  pull_request:
+    branches: [main, master]
+    paths:
+      - '**/ekkOS_CONTEXT.md'
+
+jobs:
+  validate-cortex:
+    name: Validate Cortex Docs
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Validate Cortex docs
+        run: npx @google/gemini-cli docs validate
+        
+      - name: Add validation summary
+        if: always()
+        run: |
+          echo "### ekkOS Cortex Validation" >> "$GITHUB_STEP_SUMMARY"
+          echo "" >> "$GITHUB_STEP_SUMMARY"
+          echo "Validated \`ekkOS_CONTEXT.md\` files across the repository." >> "$GITHUB_STEP_SUMMARY"
+          if [ "\${{ job.status }}" = "success" ]; then
+            echo "**Result:** All Cortex checks passed." >> "$GITHUB_STEP_SUMMARY"
+          else
+            echo "**Result:** Some Cortex checks failed. See logs for details." >> "$GITHUB_STEP_SUMMARY"
+          fi
+`;
+async function setupCiCommand(options) {
+    const repoRoot = options.repoRoot || process.cwd();
+    const workflowsDir = path.join(repoRoot, '.github', 'workflows');
+    const workflowFile = path.join(workflowsDir, 'ekkos-cortex-validation.yml');
+    console.log(chalk_1.default.cyan.bold('\n  ekkOS Cortex CI/CD Setup'));
+    console.log(chalk_1.default.gray('  ─────────────────────────'));
+    if (!fs.existsSync(workflowsDir)) {
+        fs.mkdirSync(workflowsDir, { recursive: true });
+        console.log(chalk_1.default.gray(`  Created directory: .github/workflows`));
+    }
+    if (fs.existsSync(workflowFile)) {
+        console.log(chalk_1.default.yellow(`  ⚠️  Workflow file already exists at: .github/workflows/ekkos-cortex-validation.yml`));
+        console.log(chalk_1.default.gray(`  Skipping creation to avoid overwriting.`));
+        return 0;
+    }
+    fs.writeFileSync(workflowFile, WORKFLOW_CONTENT, 'utf-8');
+    console.log(chalk_1.default.green(`  ✓ Created GitHub Actions workflow: .github/workflows/ekkos-cortex-validation.yml`));
+    console.log('');
+    console.log(chalk_1.default.gray('  This workflow will automatically run `ekkos docs validate` on pull requests'));
+    console.log(chalk_1.default.gray('  and pushes that modify any ekkOS_CONTEXT.md (Cortex) file in your repository.'));
+    console.log('');
+    return 0;
+}

package/dist/commands/validate-living-docs.d.ts

@@ -0,0 +1,27 @@
+/**
+ * ekkOS Cortex — Living Docs Validator
+ *
+ * Validates all ekkOS_CONTEXT.md files in the repository against 12 checks:
+ *   1. Frontmatter exists
+ *   2. Required fields present
+ *   3. Content hash matches body
+ *   4. AUTOGENERATED markers present
+ *   5. Confidence value valid
+ *   6. No secrets leaked
+ *   7. Token budget respected
+ *   8. Dream quarantine enforced
+ *   9. No invented file paths
+ *  10. Staleness check
+ *  11. Connected system_ids valid
+ *  12. No PII
+ *
+ * Usage:
+ *   npx tsx validate.ts                       # validate all
+ *   npx tsx validate.ts --fix                 # auto-fix what's possible
+ *   npx tsx validate.ts --system=apps-proxy   # validate one system
+ */
+export declare function validateLivingDocsCommand(options: {
+    repoRoot: string;
+    fix: boolean;
+    systemFilter?: string;
+}): Promise<number>;

package/dist/commands/validate-living-docs.js

@@ -0,0 +1,489 @@
+"use strict";
+/**
+ * ekkOS Cortex — Living Docs Validator
+ *
+ * Validates all ekkOS_CONTEXT.md files in the repository against 12 checks:
+ *   1. Frontmatter exists
+ *   2. Required fields present
+ *   3. Content hash matches body
+ *   4. AUTOGENERATED markers present
+ *   5. Confidence value valid
+ *   6. No secrets leaked
+ *   7. Token budget respected
+ *   8. Dream quarantine enforced
+ *   9. No invented file paths
+ *  10. Staleness check
+ *  11. Connected system_ids valid
+ *  12. No PII
+ *
+ * Usage:
+ *   npx tsx validate.ts                       # validate all
+ *   npx tsx validate.ts --fix                 # auto-fix what's possible
+ *   npx tsx validate.ts --system=apps-proxy   # validate one system
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateLivingDocsCommand = validateLivingDocsCommand;
+const supabase_js_1 = require("@supabase/supabase-js");
+const crypto_1 = require("crypto");
+const promises_1 = require("fs/promises");
+const fs_1 = require("fs");
+const path_1 = require("path");
+const child_process_1 = require("child_process");
+// ── Constants ────────────────────────────────────────────────────────────
+const REQUIRED_FIELDS = [
+    'system_id',
+    'domain',
+    'status',
+    'last_compiled_at',
+    'content_hash',
+    'confidence',
+];
+const VALID_CONFIDENCE = ['high', 'medium', 'low'];
+const SECRET_PATTERNS = [
+    /sk-[a-zA-Z0-9]{20,}/, // OpenAI keys
+    /ghp_[a-zA-Z0-9]{36,}/, // GitHub PATs
+    /Bearer\s+[a-zA-Z0-9._\-]{20,}/, // Bearer tokens
+    /postgres:\/\/[^\s]+/, // Postgres connection strings
+    /mongodb(\+srv)?:\/\/[^\s]+/, // MongoDB connection strings
+    /AKIA[0-9A-Z]{16}/, // AWS access keys
+    /[a-zA-Z0-9\/+]{40}(?=\s|$)/, // AWS secret keys (40-char base64)
+    /eyJ[a-zA-Z0-9_-]{30,}\.[a-zA-Z0-9_-]{30,}/, // JWT tokens
+    /xoxb-[0-9]{10,}-[a-zA-Z0-9]{20,}/, // Slack bot tokens
+    /sk_live_[a-zA-Z0-9]{20,}/, // Stripe keys
+    /redis:\/\/[^\s]+/, // Redis connection strings
+];
+const PII_PATTERNS = [
+    /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/, // Email addresses
+    /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/, // IP addresses
+    /\/Users\/[a-zA-Z0-9._-]+\//, // macOS absolute user paths
+    /\/home\/[a-zA-Z0-9._-]+\//, // Linux absolute user paths
+    /C:\\Users\\[a-zA-Z0-9._-]+\\/, // Windows absolute user paths
+];
+const AUTOGENERATED_START = 'EKKOS_AUTOGENERATED_START';
+const AUTOGENERATED_END = 'EKKOS_AUTOGENERATED_END';
+const DREAM_QUARANTINE_START = 'EKKOS_DREAM_QUARANTINE_START';
+const DREAM_QUARANTINE_END = 'EKKOS_DREAM_QUARANTINE_END';
+const TOKEN_BUDGET_CHARS = 12000; // ~3000 tokens
+const STALENESS_DAYS = 30;
+// ── Frontmatter Parser ──────────────────────────────────────────────────
+function parseFrontmatter(content) {
+    const match = content.match(/^---\n([\s\S]*?)\n---\n?([\s\S]*)$/);
+    if (!match)
+        return { frontmatter: null, body: content };
+    const rawYaml = match[1];
+    const body = match[2];
+    // Simple YAML parser (key: value lines)
+    const frontmatter = {};
+    for (const line of rawYaml.split('\n')) {
+        const kv = line.match(/^([a-z_]+):\s*(.*)$/);
+        if (kv) {
+            const [, key, value] = kv;
+            // Handle arrays like source_event_ids: []
+            if (value === '[]') {
+                frontmatter[key] = [];
+            }
+            else if (value.startsWith('[')) {
+                try {
+                    frontmatter[key] = JSON.parse(value);
+                }
+                catch {
+                    frontmatter[key] = value;
+                }
+            }
+            else {
+                frontmatter[key] = value;
+            }
+        }
+    }
+    return { frontmatter, body };
+}
+// ── Body Extraction ─────────────────────────────────────────────────────
+function extractAutogeneratedBody(content) {
+    const startPattern = new RegExp(`<!--\\s*${AUTOGENERATED_START}\\s+[a-f0-9]+\\s*-->`);
+    const endPattern = new RegExp(`<!--\\s*${AUTOGENERATED_END}\\s*-->`);
+    const startMatch = content.match(startPattern);
+    const endMatch = content.match(endPattern);
+    if (!startMatch || !endMatch)
+        return null;
+    const startIdx = content.indexOf(startMatch[0]) + startMatch[0].length;
+    const endIdx = content.indexOf(endMatch[0]);
+    if (endIdx <= startIdx)
+        return null;
+    return content.substring(startIdx, endIdx);
+}
+// ── Hash Computation ────────────────────────────────────────────────────
+function computeHash(body) {
+    return (0, crypto_1.createHash)('sha256').update(body.trim()).digest('hex');
+}
+// ── File Discovery ──────────────────────────────────────────────────────
+function findContextFiles(repoRoot, systemFilter) {
+    try {
+        const cmd = `find "${repoRoot}" -name "ekkOS_CONTEXT.md" -not -path "*/node_modules/*" -not -path "*/.next/*" -not -path "*/dist/*" -not -path "*/out/*" -not -path "*/.turbo/*" -not -path "*/.cache/*"`;
+        const output = (0, child_process_1.execSync)(cmd, { encoding: 'utf-8', maxBuffer: 10 * 1024 * 1024 });
+        let files = output.trim().split('\n').filter(Boolean);
+        if (systemFilter) {
+            // Filter to files whose frontmatter system_id matches
+            files = files.filter(f => {
+                try {
+                    const content = (0, fs_1.readFileSync)(f, 'utf-8');
+                    const { frontmatter } = parseFrontmatter(content);
+                    return frontmatter?.system_id === systemFilter;
+                }
+                catch {
+                    return false;
+                }
+            });
+        }
+        return files;
+    }
+    catch {
+        return [];
+    }
+}
+// ── Individual Checks ───────────────────────────────────────────────────
+function checkFrontmatterExists(file, content) {
+    const { frontmatter } = parseFrontmatter(content);
+    return {
+        check: 'frontmatter-exists',
+        file,
+        passed: frontmatter !== null,
+        reason: frontmatter === null ? 'No YAML frontmatter found between --- markers' : undefined,
+    };
+}
+function checkRequiredFields(file, content) {
+    const { frontmatter } = parseFrontmatter(content);
+    if (!frontmatter) {
+        return { check: 'required-fields', file, passed: false, reason: 'No frontmatter to check' };
+    }
+    const missing = REQUIRED_FIELDS.filter(f => frontmatter[f] === undefined || frontmatter[f] === '');
+    return {
+        check: 'required-fields',
+        file,
+        passed: missing.length === 0,
+        reason: missing.length > 0 ? `Missing fields: ${missing.join(', ')}` : undefined,
+    };
+}
+function checkContentHash(file, content, fix) {
+    const { frontmatter } = parseFrontmatter(content);
+    if (!frontmatter?.content_hash) {
+        return { check: 'content-hash', file, passed: false, reason: 'No content_hash in frontmatter' };
+    }
+    const body = extractAutogeneratedBody(content);
+    if (body === null) {
+        return { check: 'content-hash', file, passed: false, reason: 'Cannot extract autogenerated body' };
+    }
+    const computed = computeHash(body);
+    const matches = computed === frontmatter.content_hash;
+    if (!matches && fix) {
+        // Auto-fix: replace the content_hash in frontmatter and in the START marker
+        const fixed = content
+            .replace(`content_hash: ${frontmatter.content_hash}`, `content_hash: ${computed}`)
+            .replace(new RegExp(`${AUTOGENERATED_START}\\s+${frontmatter.content_hash}`), `${AUTOGENERATED_START} ${computed}`);
+        (0, fs_1.writeFileSync)(file, fixed, 'utf-8');
+        return { check: 'content-hash', file, passed: true, fixApplied: true };
+    }
+    return {
+        check: 'content-hash',
+        file,
+        passed: matches,
+        reason: !matches ? `Hash mismatch: expected ${frontmatter.content_hash}, computed ${computed}` : undefined,
+    };
+}
+function checkAutogeneratedMarkers(file, content) {
+    const hasStart = content.includes(AUTOGENERATED_START);
+    const hasEnd = content.includes(AUTOGENERATED_END);
+    const both = hasStart && hasEnd;
+    let reason;
+    if (!hasStart && !hasEnd)
+        reason = 'Both START and END markers missing';
+    else if (!hasStart)
+        reason = 'START marker missing';
+    else if (!hasEnd)
+        reason = 'END marker missing';
+    return { check: 'autogenerated-markers', file, passed: both, reason };
+}
+function checkConfidenceValid(file, content) {
+    const { frontmatter } = parseFrontmatter(content);
+    if (!frontmatter?.confidence) {
+        return { check: 'confidence-valid', file, passed: false, reason: 'No confidence field' };
+    }
+    const valid = VALID_CONFIDENCE.includes(frontmatter.confidence);
+    return {
+        check: 'confidence-valid',
+        file,
+        passed: valid,
+        reason: !valid ? `Invalid confidence "${frontmatter.confidence}"; must be one of: ${VALID_CONFIDENCE.join(', ')}` : undefined,
+    };
+}
+function checkNoSecrets(file, content) {
+    const body = extractAutogeneratedBody(content) || content;
+    const found = [];
+    for (const pattern of SECRET_PATTERNS) {
+        const match = body.match(pattern);
+        if (match) {
+            // Redact the match for the error message
+            const redacted = match[0].substring(0, 8) + '...' + match[0].substring(match[0].length - 4);
+            found.push(`${pattern.source.substring(0, 20)}... → "${redacted}"`);
+        }
+    }
+    return {
+        check: 'no-secrets',
+        file,
+        passed: found.length === 0,
+        reason: found.length > 0 ? `Potential secrets found: ${found.join('; ')}` : undefined,
+    };
+}
+function checkTokenBudget(file, content) {
+    const body = extractAutogeneratedBody(content);
+    if (body === null) {
+        return { check: 'token-budget', file, passed: true }; // Can't check without markers
+    }
+    const charCount = body.trim().length;
+    const passed = charCount <= TOKEN_BUDGET_CHARS;
+    return {
+        check: 'token-budget',
+        file,
+        passed,
+        reason: !passed ? `Body is ${charCount} chars (~${Math.round(charCount / 4)} tokens), exceeds budget of ${TOKEN_BUDGET_CHARS} chars (~2000 tokens)` : undefined,
+    };
+}
+function checkDreamQuarantine(file, content) {
+    const body = extractAutogeneratedBody(content) || content;
+    // Check if Dream Forge section exists
+    const hasDreamSection = body.includes('## Dream Forge Hypotheses');
+    if (!hasDreamSection) {
+        return { check: 'dream-quarantine', file, passed: true }; // No dreams, no problem
+    }
+    // Check quarantine markers
+    const hasStart = body.includes(DREAM_QUARANTINE_START);
+    const hasEnd = body.includes(DREAM_QUARANTINE_END);
+    if (!hasStart || !hasEnd) {
+        return {
+            check: 'dream-quarantine',
+            file,
+            passed: false,
+            reason: `Dream Forge section exists but missing quarantine markers (${DREAM_QUARANTINE_START}/${DREAM_QUARANTINE_END})`,
+        };
+    }
+    // Check that dream-related keywords don't appear outside the quarantine zone
+    const quarantineStartIdx = body.indexOf(DREAM_QUARANTINE_START);
+    const quarantineEndIdx = body.indexOf(DREAM_QUARANTINE_END);
+    const beforeQuarantine = body.substring(0, quarantineStartIdx);
+    // Look for speculative language that should only be in Dream section
+    const speculativePatterns = [
+        /\bovernight consolidation\b/i,
+        /\bnot yet validated\b/i,
+        /\bhypothes[ie]s?\b/i,
+    ];
+    const leaks = [];
+    for (const pattern of speculativePatterns) {
+        if (pattern.test(beforeQuarantine)) {
+            leaks.push(pattern.source);
+        }
+    }
+    return {
+        check: 'dream-quarantine',
+        file,
+        passed: leaks.length === 0,
+        reason: leaks.length > 0 ? `Speculative content found outside Dream quarantine zone: ${leaks.join(', ')}` : undefined,
+    };
+}
+function checkNoInventedPaths(file, content, repoRoot) {
+    const body = extractAutogeneratedBody(content) || content;
+    // Extract the system directory from the file path
+    const systemDir = (0, path_1.dirname)(file);
+    const relSystemDir = (0, path_1.relative)(repoRoot, systemDir);
+    // Find "Key Files" section and extract file references
+    const keyFilesMatch = body.match(/## Key Files\n([\s\S]*?)(?=\n## |\n<!-- |$)/);
+    if (!keyFilesMatch) {
+        return { check: 'no-invented-paths', file, passed: true }; // No Key Files section
+    }
+    const keyFilesSection = keyFilesMatch[1];
+    // Match backtick-wrapped file paths or numbered list items with file paths
+    const pathPattern = /`([a-zA-Z0-9._\-/]+\.[a-zA-Z0-9]+)`/g;
+    const invented = [];
+    let pathMatch;
+    while ((pathMatch = pathPattern.exec(keyFilesSection)) !== null) {
+        const refPath = pathMatch[1];
+        // Check relative to the system directory
+        const absPath = (0, path_1.join)(systemDir, refPath);
+        // Also check relative to repo root
+        const absPathFromRoot = (0, path_1.join)(repoRoot, relSystemDir, refPath);
+        if (!(0, fs_1.existsSync)(absPath) && !(0, fs_1.existsSync)(absPathFromRoot)) {
+            // Also try just the filename in the system dir
+            const justFilename = (0, path_1.join)(systemDir, refPath.split('/').pop() || '');
+            if (!(0, fs_1.existsSync)(justFilename)) {
+                invented.push(refPath);
+            }
+        }
+    }
+    return {
+        check: 'no-invented-paths',
+        file,
+        passed: invented.length === 0,
+        reason: invented.length > 0 ? `File paths not found: ${invented.join(', ')}` : undefined,
+    };
+}
+function checkStaleness(file, content) {
+    const { frontmatter } = parseFrontmatter(content);
+    if (!frontmatter?.last_compiled_at) {
+        return { check: 'staleness', file, passed: false, reason: 'No last_compiled_at field' };
+    }
+    const compiledAt = new Date(frontmatter.last_compiled_at);
+    const now = new Date();
+    const daysDiff = (now.getTime() - compiledAt.getTime()) / (1000 * 60 * 60 * 24);
+    return {
+        check: 'staleness',
+        file,
+        passed: daysDiff <= STALENESS_DAYS,
+        reason: daysDiff > STALENESS_DAYS
+            ? `Last compiled ${Math.round(daysDiff)} days ago (threshold: ${STALENESS_DAYS} days)`
+            : undefined,
+    };
+}
+async function checkConnectedSystems(file, content, knownSystemIds) {
+    const body = extractAutogeneratedBody(content) || content;
+    // Find Connected Systems section
+    const connectedMatch = body.match(/## Connected Systems\n([\s\S]*?)(?=\n## |\n<!-- |$)/);
+    if (!connectedMatch) {
+        return { check: 'connected-systems', file, passed: true }; // No section
+    }
+    if (!knownSystemIds) {
+        return { check: 'connected-systems', file, passed: true, reason: 'Skipped — no DB connection' };
+    }
+    // Extract system_id references (backtick-wrapped kebab-case ids)
+    const idPattern = /`([a-z0-9][a-z0-9-]{0,62}[a-z0-9])`/g;
+    const invalid = [];
+    let idMatch;
+    while ((idMatch = idPattern.exec(connectedMatch[1])) !== null) {
+        const refId = idMatch[1];
+        // Skip common non-system-id strings
+        if (refId.includes('.') || refId.length < 3)
+            continue;
+        if (!knownSystemIds.has(refId)) {
+            invalid.push(refId);
+        }
+    }
+    return {
+        check: 'connected-systems',
+        file,
+        passed: invalid.length === 0,
+        reason: invalid.length > 0 ? `Unknown system_ids: ${invalid.join(', ')}` : undefined,
+    };
+}
+function checkNoPII(file, content) {
+    const body = extractAutogeneratedBody(content) || content;
+    const found = [];
+    for (const pattern of PII_PATTERNS) {
+        const match = body.match(pattern);
+        if (match) {
+            // Allow common false positives
+            const val = match[0];
+            // Skip email-like patterns that are clearly example/placeholder
+            if (val.includes('@example.') || val.includes('@ci.') || val.includes('@test.'))
+                continue;
+            // Skip IPs that are localhost or common internal
+            if (val === '127.0.0.1' || val === '0.0.0.0' || val.startsWith('192.168.') || val.startsWith('10.'))
+                continue;
+            found.push(`${pattern.source.substring(0, 30)}... → "${val}"`);
+        }
+    }
+    return {
+        check: 'no-pii',
+        file,
+        passed: found.length === 0,
+        reason: found.length > 0 ? `Potential PII found: ${found.join('; ')}` : undefined,
+    };
+}
+// ── Supabase Setup (Optional) ───────────────────────────────────────────
+async function loadKnownSystemIds() {
+    const supabaseUrl = process.env.SUPABASE_URL || process.env.NEXT_PUBLIC_SUPABASE_URL;
+    const supabaseKey = process.env.SUPABASE_SECRET_KEY;
+    const userId = process.env.EKKOS_ADMIN_USER_ID;
+    if (!supabaseUrl || !supabaseKey || !userId) {
+        console.log('[Validator] No Supabase credentials — skipping DB-dependent checks');
+        return null;
+    }
+    try {
+        const supabase = (0, supabase_js_1.createClient)(supabaseUrl, supabaseKey);
+        const { data } = await supabase
+            .from('system_registry')
+            .select('system_id')
+            .eq('user_id', userId);
+        if (!data)
+            return null;
+        return new Set(data.map((r) => r.system_id));
+    }
+    catch (err) {
+        console.log('[Validator] Supabase query failed — skipping DB-dependent checks');
+        return null;
+    }
+}
+// ── Main Validator ──────────────────────────────────────────────────────
+async function validateLivingDocsCommand(options) {
+    const { repoRoot, fix, systemFilter } = options;
+    console.log(`[Cortex] Scanning ${repoRoot} for ekkOS_CONTEXT.md files...`);
+    const files = findContextFiles(repoRoot, systemFilter);
+    if (files.length === 0) {
+        console.log('[Cortex] No ekkOS_CONTEXT.md files found');
+        return 0;
+    }
+    console.log(`[Cortex] Found ${files.length} files to validate\n`);
+    // Load known system_ids from Supabase (optional)
+    const knownSystemIds = await loadKnownSystemIds();
+    const results = [];
+    let fixCount = 0;
+    for (const file of files) {
+        const relPath = (0, path_1.relative)(repoRoot, file);
+        let content;
+        try {
+            content = await (0, promises_1.readFile)(file, 'utf-8');
+        }
+        catch (err) {
+            results.push({ check: 'file-readable', file: relPath, passed: false, reason: `Cannot read file: ${err}` });
+            continue;
+        }
+        // Run all 12 checks
+        results.push(checkFrontmatterExists(relPath, content));
+        results.push(checkRequiredFields(relPath, content));
+        const hashResult = checkContentHash(file, content, fix);
+        if (hashResult.fixApplied)
+            fixCount++;
+        results.push({ check: hashResult.check, file: relPath, passed: hashResult.passed, reason: hashResult.reason });
+        results.push(checkAutogeneratedMarkers(relPath, content));
+        results.push(checkConfidenceValid(relPath, content));
+        results.push(checkNoSecrets(relPath, content));
+        results.push(checkTokenBudget(relPath, content));
+        results.push(checkDreamQuarantine(relPath, content));
+        const inventedResult = checkNoInventedPaths(repoRoot, file, content);
+        results.push({ ...inventedResult, file: relPath });
+        results.push(checkStaleness(relPath, content));
+        results.push(await checkConnectedSystems(relPath, content, knownSystemIds));
+        results.push(checkNoPII(relPath, content));
+    }
+    // Output results
+    const passed = results.filter(r => r.passed);
+    const failed = results.filter(r => !r.passed);
+    console.log('─'.repeat(72));
+    console.log('ekkOS CORTEX VALIDATION RESULTS');
+    console.log('─'.repeat(72));
+    // Print passed checks (grouped by file)
+    for (const r of passed) {
+        console.log(`  \u2713 ${r.check}: ${r.file}`);
+    }
+    // Print failed checks
+    if (failed.length > 0) {
+        console.log('');
+        for (const r of failed) {
+            console.log(`  \u2717 ${r.check}: ${r.file} \u2014 ${r.reason}`);
+        }
+    }
+    console.log('');
+    console.log('─'.repeat(72));
+    console.log(`SUMMARY: ${passed.length} passed, ${failed.length} failed across ${files.length} files`);
+    if (fixCount > 0) {
+        console.log(`AUTO-FIXED: ${fixCount} content hashes regenerated`);
+    }
+    console.log('─'.repeat(72));
+    return failed.length > 0 ? 1 : 0;
+}